- Newest
- Most votes
- Most comments
The "p=" with no value after the equals sign is actually a valid DKIM key record and it's not a problem. This is called a null DKIM record.
The three DKIM TXT records are for key rotation purposes - active, passive, and pending. AWS SES automatically rotates your DKIM keys every 90 days. The key rotation process involves a period where AWS publishes two active keys for your domain, the old one and the new one. After the new key propagates and AWS confirms its deployment, the old key becomes passive. After AWS confirms the passive key is no longer used for verification, AWS deletes the passive key and publishes a new pending key.
During the rotation process, one of these TXT records would be the active key and it would have a "p=" tag followed by the public key value. The other two TXT records, the passive key and the pending key, would have a "p=" tag with no value, which means these are null DKIM keys.
Null DKIM records are part of the DKIM standard and used to signify that a particular selector is not currently being used for signing. They are safe to ignore.
So what you're observing is expected behavior and you shouldn't be concerned about it. AWS SES is managing your DKIM keys and rotating them automatically.
Remember, however, to ensure that the "p=" tag with the public key value is indeed present in one of your three TXT records. If none of the records contain a value for the "p=" tag, then you have an issue and you might want to reach out to AWS support.
Relevant content
- asked 5 months ago
- Accepted Answerasked 2 years ago
- asked a year ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 6 months ago
Thank you so much for the detailed explanation! I really appreciate it!